From: Markus Armbruster <armbru@redhat.com>
To: Tommaso Califano <califano.tommaso@gmail.com>
Cc: qemu-devel@nongnu.org, kvm@vger.kernel.org,
"Eduardo Habkost" <eduardo@habkost.net>,
"Markus Armbruster" <armbru@redhat.com>,
"Zhao Liu" <zhao1.liu@intel.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Marcelo Tosatti" <mtosatti@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Oliver Steffen" <osteffen@redhat.com>,
"Stefano Garzarella" <sgarzare@redhat.com>,
"Giuseppe Lettieri" <giuseppe.lettieri@unipi.it>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Luigi Leonardi" <leonardi@redhat.com>,
"Richard Henderson" <richard.henderson@linaro.org>
Subject: Re: [PATCH 4/5] i386/sev: Add launch measurement emulation and TIK property
Date: Thu, 19 Mar 2026 13:33:27 +0100
Message-ID: <87pl50vw14.fsf@pond.sub.org>
In-Reply-To: <20260317113840.33017-5-califano.tommaso@gmail.com> (Tommaso Califano's message of "Tue, 17 Mar 2026 12:38:39 +0100")
Tommaso Califano <califano.tommaso@gmail.com> writes:
> The next step for completing the SEV launch emulation is to implement the
> "query-sev-launch-measure" feature, responsible for returning the
> measurement. In this case the measurement will be computed in QEMU.
>
> Implement sev_emulated_launch_get_measure() to emulate the LAUNCH_MEASURE
> command per AMD SEV API spec section 6.5.1. It generates a random 16-byte
> mnonce, computes the launch digest as SHA-256 over ld_data, then derives
> the measurement via HMAC-SHA256
> (TIK;0x04|| API version || build ID || policy || launch digest || mnonce).
> The base64-encoded result (32-byte HMAC + 16-byte mnonce) populates
> "query-sev-launch-measure" data, advancing state to LAUNCH_SECRET for
> secret injection.
>
> The TIK is supplied via a 16-byte binary file specified in the new
> SevEmulatedProperty "tik" path; absent this, the keys default to zero.
> Example QEMU arguments with the key passed:
>
> -cpu "EPYC-Milan" \
> -accel tcg \
> -object sev-emulated,id=sev0,cbitpos=47,reduced-phys-bits=1,\
> tik=/path/to/tik.bin \
> -machine memory-encryption=sev0
>
> Signed-off-by: Tommaso Califano <califano.tommaso@gmail.com>
> ---
> qapi/qom.json | 3 +-
> target/i386/sev.c | 155 ++++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 157 insertions(+), 1 deletion(-)
>
> diff --git a/qapi/qom.json b/qapi/qom.json
> index 35cda819ec..affb5024b5 100644
> --- a/qapi/qom.json
> +++ b/qapi/qom.json
> @@ -1064,11 +1064,12 @@
> # This object functionally emulates AMD SEV hardware via TCG, so
> # it does not require real hardware to run.
> #
> +# @tik: binary file of the SEV TIK (default: all 0).
Is this a file name?
Blank line here, please.
> # Since: 10.1.0
> ##
> { 'struct': 'SevEmulatedProperties',
> 'base': 'SevGuestProperties',
> - 'data': {}}
> + 'data': {'*tik': 'str'}}
>
> ##
> # @SevSnpGuestProperties:
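Review bot: the new @tik member needs its own "(since X.Y)" tag in the doc comment; the "Since: 10.1.0" a few lines below dates the struct, not a member added to it now, and QAPI convention is to annotate new optional members individually. While rewording that line, say what the string is (a path to a file holding the 16-byte Transport Integrity Key, as the commit message describes), what happens if the file is not exactly 16 bytes, and state the default plainly: with no @tik the key is all zeros, so the HMAC returned by query-sev-launch-measure can be recomputed by anyone who knows the launch data and is only useful for exercising the launch flow, not as evidence about the guest. Something like "@tik: path to a file containing the 16-byte SEV Transport Integrity Key; if absent an all-zero key is used, so the launch measurement is reproducible by anyone (since X.Y)" with X.Y set to the target release.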
[...]
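The commit message above spells out the LAUNCH_MEASURE computation (SHA-256 launch digest, then HMAC-SHA256 under the TIK over 0x04 || API version || build || policy || digest || mnonce, returned as base64 of HMAC || mnonce). The following is an added worked example, not QEMU code and not part of the patch: the firmware side that produces the measurement and the guest-owner side that checks one. The field widths (one byte each for API major, API minor and build; 32-bit little-endian policy) follow the SEV API spec layout and are an assumption here because the commit message does not spell them out; `load_tik`, `launch_measure`, `verify_measure` and the sample inputs are names and values chosen for this example only.

```python
"""Added example (not QEMU code, not part of the patch): the LAUNCH_MEASURE
computation the commit message describes, and the guest-owner check of it."""
import base64
import hashlib
import hmac
import os
from typing import Optional

MEASURE_TYPE = 0x04   # message-type byte that prefixes the HMAC input
TIK_LEN = 16          # the TIK is a 128-bit HMAC key
MNONCE_LEN = 16
MAC_LEN = 32          # HMAC-SHA256 output length


def load_tik(path: str) -> bytes:
    """Read the TIK from a raw binary file; accept exactly 16 bytes, nothing else."""
    with open(path, "rb") as f:
        tik = f.read()
    if len(tik) != TIK_LEN:
        raise ValueError(f"TIK file must be {TIK_LEN} bytes, got {len(tik)}")
    return tik


def launch_digest(ld_data: bytes) -> bytes:
    """LD: SHA-256 over the bytes measured through LAUNCH_UPDATE_DATA."""
    return hashlib.sha256(ld_data).digest()


def measure_input(api_major: int, api_minor: int, build: int,
                  policy: int, ld: bytes, mnonce: bytes) -> bytes:
    """Assumed field layout (SEV API spec; the commit message does not state it):
    one byte each for api major/minor/build, 32-bit little-endian policy."""
    return (bytes([MEASURE_TYPE, api_major, api_minor, build])
            + policy.to_bytes(4, "little") + ld + mnonce)


def launch_measure(tik: bytes, api_major: int, api_minor: int, build: int,
                   policy: int, ld_data: bytes,
                   mnonce: Optional[bytes] = None) -> str:
    """Firmware side: base64(HMAC || MNONCE), 48 raw bytes, as query-sev-launch-measure returns."""
    if len(tik) != TIK_LEN:
        raise ValueError("bad TIK length")
    if mnonce is None:
        mnonce = os.urandom(MNONCE_LEN)   # fresh nonce per LAUNCH_MEASURE
    msg = measure_input(api_major, api_minor, build, policy,
                        launch_digest(ld_data), mnonce)
    mac = hmac.new(tik, msg, hashlib.sha256).digest()
    return base64.b64encode(mac + mnonce).decode("ascii")


def verify_measure(tik: bytes, api_major: int, api_minor: int, build: int,
                   policy: int, expected_ld_data: bytes, measure_b64: str) -> bool:
    """Guest-owner side: recompute the HMAC over the data the owner expects to
    have been loaded and compare in constant time."""
    raw = base64.b64decode(measure_b64)
    if len(raw) != MAC_LEN + MNONCE_LEN:
        return False
    mac, mnonce = raw[:MAC_LEN], raw[MAC_LEN:]
    msg = measure_input(api_major, api_minor, build, policy,
                        launch_digest(expected_ld_data), mnonce)
    return hmac.compare_digest(mac, hmac.new(tik, msg, hashlib.sha256).digest())


# Constructed sample inputs for the example (arbitrary, not real firmware values).
API_MAJOR, API_MINOR, BUILD = 1, 51, 23
POLICY = 0x1                      # SEV policy bit 0: NODBG
LD_DATA = b"OVMF firmware image bytes (constructed)"
TIK_SECRET = bytes(range(16))     # stands in for the contents of /path/to/tik.bin
TIK_ZERO = bytes(TIK_LEN)         # the default when no tik= is given


def demo() -> dict:
    """A good check, detection of altered launch data, and the zero-key caveat."""
    m = launch_measure(TIK_SECRET, API_MAJOR, API_MINOR, BUILD, POLICY, LD_DATA)
    ok = verify_measure(TIK_SECRET, API_MAJOR, API_MINOR, BUILD, POLICY, LD_DATA, m)
    tampered = verify_measure(TIK_SECRET, API_MAJOR, API_MINOR, BUILD, POLICY,
                              LD_DATA + b"!", m)
    wrong_key = verify_measure(TIK_ZERO, API_MAJOR, API_MINOR, BUILD, POLICY, LD_DATA, m)
    # With the all-zero default TIK the key is public, so anyone can produce a
    # measurement that verifies for whatever launch data they choose.
    forged = launch_measure(TIK_ZERO, API_MAJOR, API_MINOR, BUILD, POLICY, b"anything")
    forged_ok = verify_measure(TIK_ZERO, API_MAJOR, API_MINOR, BUILD, POLICY,
                               b"anything", forged)
    return {"ok": ok, "tampered": tampered, "wrong_key": wrong_key,
            "forged_with_zero_tik": forged_ok}


if __name__ == "__main__":
    print(demo())
```

The verifier recomputes the HMAC from the launch data it expects rather than trusting the returned digest, which is the whole point of the TIK: only a party holding it can produce a measurement that checks out. The last case in `demo` is why the zero default matters; it is fine for exercising the launch state machine under TCG, but a measurement produced under an all-zero key says nothing about what was loaded.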
Thread overview: 21+ messages
2026-03-17 11:38 [PATCH 0/5] i386/sev: Add TCG-emulated AMD SEV guest support Tommaso Califano
2026-03-17 11:38 ` [PATCH 1/5] i386/sev: Add sev-emulated QOM object with TCG support Tommaso Califano
2026-03-19 12:31 ` Markus Armbruster
2026-03-20 14:25 ` Tommaso Califano
2026-03-20 14:48 ` Markus Armbruster
2026-03-20 15:34 ` Tommaso Califano
2026-03-19 17:49 ` Daniel P. Berrangé
2026-03-20 7:44 ` Markus Armbruster
2026-03-20 12:40 ` Daniel P. Berrangé
2026-03-20 15:23 ` Tommaso Califano
2026-03-23 7:24 ` Markus Armbruster
2026-03-20 12:39 ` Daniel P. Berrangé
2026-03-20 15:03 ` Tommaso Califano
2026-03-20 15:32 ` Tommaso Califano
2026-03-17 11:38 ` [PATCH 2/5] target/i386: Add MSR SEV support and C-bit reset on TCG Tommaso Califano
2026-03-17 11:38 ` [PATCH 3/5] i386/sev: Implement SEV launch state sequence and query-sev Tommaso Califano
2026-03-17 11:38 ` [PATCH 4/5] i386/sev: Add launch measurement emulation and TIK property Tommaso Califano
2026-03-19 12:33 ` Markus Armbruster [this message]
2026-03-20 14:31 ` Tommaso Califano
2026-03-17 11:38 ` [PATCH 5/5] i386/sev: Implement emulated launch secret injection and TEK property Tommaso Califano
2026-03-17 13:01 ` [PATCH 0/5] i386/sev: Add TCG-emulated AMD SEV guest support Luigi Leonardi